Information security and practice: The user's perspective

Document Type



Academic Conferences Limited


Security Research Institute




Originally published as : Clarke, Nathan, et al. "Information Security and Practice: The User's Perspective." International Conference on Cyber Warfare and Security. Academic Conferences International Limited, 2016. Article available here


The use of Information Technology (IT) has become common practice in our everyday lives both for business and private purposes. While people enjoy the convenience that IT offers, it also poses various security threats if not used properly, including malware, hacking, and information disclosure. Unfortunately, the scale and consequence of cyber threats has increased significantly year-on-year despite various security controls having been developed and deployed. It is evident that end users play a significant role within the information security domain, as they are frequently the primary target and the main force behind incidents. Nonetheless, whilst there are annual security surveys for organisations, less effort were given regarding assessing how individuals practice information security by the research community. Therefore, this paper presents a survey that investigates user's IT security practice and behaviour. In total, 400 respondents were surveyed during a five month period (i.e. November 2014 - March 2015). Overall, the results demonstrate that end users practice better IT security than typically thought although it appears only at a relatively basic level. For example, whilst a reasonably good proportion of participants (66%) claimed that they never share their passwords with others, 76% have used the same password on multiple sensitive accounts. Almost three quarters (72%) of responders never click on links or attachments within emails from unknown sources, but this is significantly reduced (to 36%) when someone they knew sent the email. Two-thirds of users (65%) do appreciate the importance of antivirus software as they always keep their antivirus software updated; however, less care is given to other applications/systems as only 44% would do the same and more alarmingly 65% even cancel or delay the security update process. Over two thirds (68%) of participants do not always backup their data, and only half of the participants (53%) claimed that they always destroy their data before hardware disposal. The results of the survey suggest that whilst levels of awareness are improving, there is still a significant gap between existing and required levels of information security knowledge and practice. Arguably, users are currently being overwhelmed by the burden being placed upon them to remain secure. The range of technologies they use (60% using more than 3 devices), the widespread use of online services (89% using at least 5 IT services) highlight users are becoming or have become technology dependent but perhaps without being security savvy.